Switch virtual and physical addresses to lists to support dumping multiple files at once #1319

Author: atcuno

volatility3/framework/plugins/windows/dumpfiles.py

@@ -44,13 +44,15 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 description="Process ID to include (all other processes are excluded)",
                 optional=True,
             ),
-            requirements.IntRequirement(
+            requirements.ListRequirement(
                 name="virtaddr",
+                element_type=int,
                 description="Dump a single _FILE_OBJECT at this virtual address",
                 optional=True,
             ),
-            requirements.IntRequirement(
+            requirements.ListRequirement(
                 name="physaddr",
+                element_type=int,
                 description="Dump a single _FILE_OBJECT at this physical address",
                 optional=True,
             ),
@@ -318,6 +320,7 @@ def _generator(self, procs: List, offsets: List):
                         )
 
         elif offsets:
+
             # Now process any offsets explicitly requested by the user.
             for offset, is_virtual in offsets:
                 try:
@@ -355,10 +358,14 @@ def run(self):
         ):
             raise ValueError("Cannot use filter flag with an address flag")
 
-        if self.config.get("virtaddr", None) is not None:
-            offsets.append((self.config["virtaddr"], True))
-        elif self.config.get("physaddr", None) is not None:
-            offsets.append((self.config["physaddr"], False))
+        if self.config.get("virtaddr"):
+            for virtaddr in self.config["virtaddr"]:
+                offsets.append((virtaddr, True))
+
+        elif self.config.get("physaddr"):
+            for physaddr in self.config["physaddr"]:
+                offsets.append((physaddr, False))
+
         else:
             filter_func = pslist.PsList.create_pid_filter(
                 [self.config.get("pid", None)]